POLICY NUMBER:
400.14
ADOPTED:
6.13.2017
Board Policy
- The District’s Protected Health Information Privacy Policy is designed to comply with the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA restricts the District’s ability to use and disclose protected health information.
- The Board authorizes the Superintendent and District Administration to establish administrative regulations consistent with this policy.
ADMINISTRATIVE REGULATION:
400.14-1
APPROVED:
6.13.2017
Definitions - 400.14-1
- Protected health information (PHI): Information created or received by the Plan and related to the past, present, or future physical or mental health or condition of a participant and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.
- Workforce: The District’s workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainers, and other persons whose work performance is under the direct control of the District, whether or not they are paid by the District.
- Employee: Includes all types of workers listed above.
- Privacy Official: The Privacy Official will serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.
ADMINISTRATIVE REGULATION:
400.14-2
APPROVED:
6.13.2017
Regulation - 400.14-2
- Canyons School District (the District) self-administers a group health plan (the Plan). Members of the District’s workforce have access to individually identifiable health information of Plan participants (1) on behalf of the Plan itself; or (2) on behalf of the District, for administrative functions of the Plan. Members of the District’s workforce who have access to PHI must comply with this privacy policy. No third party rights, including, but not limited to, rights of Plan participants, beneficiaries, covered dependents or business associates, are intended to be covered by this policy. The District reserves the right to amend or change this policy at any time (and even retroactively) without notice.
ADMINISTRATIVE REGULATION:
400.14-3
APPROVED:
6.13.2017
Plan’s Responsibilities as Covered Entity - 400.14-3
- Privacy Official and Contact Person
- The Coordinator of Insurance shall be the Privacy Official for the Plan.
- Workforce Training
- Employees with access to PHI will receive training on privacy policies and procedures. A training schedule will be developed so that all employees with access to PHI receive the training necessary and appropriate to permit them to carry out their functions within the Plan.
- Technical and Physical Safeguards and Firewall
- Technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements will be implemented. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.
- Privacy Notice
- A privacy notice will be sent to Plan participants informing them that the District has access to PHI in connection with its Plan administrative functions. The privacy notice will also inform them of the District’s complaint procedures, the name and telephone number of the contact person, and the date of the notice.
- The notice of the privacy practices will be placed on the District’s website. The notice will also be individually delivered to all participants:
- At the time of an individual’s enrollment in the Plan;
- To a person requesting the notice; and
- Within 60 days after a material change to the notice.
- The Plan will also provide notice of availability of the privacy notice at least once every three years.
- Complaints
- The Coordinator of Insurance will be the Plan’s contact person for receiving complaints.
- Sanctions for Violations of Privacy Policy
- Sanctions for using or disclosing PHI in violation of this HIPAA privacy policy will be imposed in accordance with District policy, up to and including termination.
- Mitigation of Inadvertent Disclosures of Protected Health Information
- Any harmful effect due to an unauthorized disclosure of an individual’s PHI will be mitigated to the extent possible. If an employee becomes aware of a disclosure of protected health information, either by an employee of the Plan or an outside consultant/contractor, that is not in compliance with this policy, the Privacy Official shall be contacted so that the appropriate steps to mitigate the harm to the participant can be taken.
- No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
- No intimidation, discrimination, or other retaliatory action will be taken against an individual for exercising their right to file a complaint, participate in an investigation, or oppose any improper practice under HIPAA.
- No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.
- Plan Document
- The Plan document shall include provisions to describe the permitted and required uses and disclosures of PHI for administrative purposes.
- Specifically, the Plan document shall require the District to:
- Not use or further disclose PHI other than as permitted by the Plan documents or as required by law;
- Ensure that any agents or subcontractors to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the District;
- Not use or disclose PHI for employment-related actions or in connection with any other employee benefit plan;
- Report to the Privacy Official any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
- Make PHI available to Plan participants, consider their amendments and, upon request, provide them with an account of PHI disclosures;
- Make the District’s internal practices and records relating to the use and disclosure of PHI received from the Plan available to the Department of Health and Human Services (DHHS) upon request; and
- If feasible, return or destroy all PHI received from the Plan that the District still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- The Plan document must also require the District to (1) certify to the Privacy Official that the Plan documents have been amended to include the above restrictions and that the District agrees to those restrictions; and (2) provide adequate firewalls.
- Documentation
- The privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures shall be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations).
- The privacy policy shall be revised and made available if a change in law impacts the privacy notice. However, such change is effective only with respect to PHI created or received after the effective date of the notice.
- Documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. The Plan will maintain such documentation for at least six years.
ADMINISTRATIVE REGULATION:
400.14-4
APPROVED:
6.13.2017
Policies on Use and Disclosure of PHI - 400.14-4
- Use and Disclosure Defined: The District and the Plan will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
- Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Insurance Office of the District, or by a Business Associate of the Plan.
- Disclosure: For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working with the Insurance Office of the District.
- Workforce Must Comply With District’s Policy and Procedures
- All employees with access to PHI must comply with this policy.
- Access to PHI is Limited to Certain Employees: The following employees have access to PHI:
- Coordinator of Insurance who performs functions directly on behalf of the group health plan.
- Employees in the District Insurance Office who have access to PHI on behalf of the District for use while performing daily responsibilities.
- These employees may use and disclose PHI for Plan administrative functions, and may disclose PHI to other employees with access for plan administrative functions. Employees with access may not disclose PHI to other employees unless an authorization is in place or the disclosure is otherwise in compliance with this policy.
- Permitted Uses and Disclosures:
- Payment and Health Care Operations: PHI may be disclosed to another covered entity for the payment purposes of that covered entity. Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan’s responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:
- Eligibility and coverage determinations, including coordination of benefits and adjudication or subrogation of health benefit claims;
- Risk adjusting based on enrollee status and demographic characteristics; and
- Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.
- PHI may be disclosed for purposes of the Plan’s own health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.
- Health Care Operations: Health care operations means any of the following activities to the extent that they are related to Plan administration [need to tailor to Plan functions]:
- Conducting quality assessment and improvement activities;
- Reviewing health plan performance;
- Underwriting and premium rating;
- Conducting or arranging for medical review, legal services and auditing functions;
- Business planning and development; and
- Business management and general administrative activities.
- No Disclosure of PHI for Non-Health Plan Purposes:
- PHI may not be used or disclosed for the payment or operations of the District’s “non-health” benefits (e.g., disability, workers’ compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required by applicable state law and particular requirements under HIPAA are met.
- Mandatory Disclosures of PHI to the Individual and the Department of Health & Human Services (DHHS): PHI must be disclosed as required by HIPAA in two situations:
- The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows).
- The disclosure is made to DHHS for purposes of enforcing HIPAA.
- PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied:
- About victims of abuse, neglect or domestic violence;
- For judicial and administrative proceedings;
- For law enforcement purposes;
- For public health activities;
- For health oversight activities;
- About decedents;
- For cadaveric organ, eye or tissue donation purposes;
- For certain limited research purposes;
- To avert a serious threat to health or safety;
- For specialized government functions; and
- That relate to workers’ compensation programs.
- Disclosures of PHI Pursuant to an Authorization
- PHI may be disclosed for any purpose if the participant provides an authorization. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
- Complying With the “Minimum-Necessary” Standard: When PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure.
- The “minimum necessary” standard does not apply to any of the following:
- Uses or disclosures made to the individual;
- Uses or disclosures made pursuant to a valid authorization;
- Disclosures made to the Department of Labor (DOL);
- Uses or disclosures required by law; and
- Uses or disclosures required to comply with HIPAA.
- All other disclosures must be reviewed on an individual basis with the Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purposes of the disclosure.
- Disclosures of PHI to Business Associates
- The Plan may disclose PHI to its business associates and allow them to create or receive PHI on its behalf. However, prior to doing so, the Plan must first obtain assurances from the business associate that it will appropriately safeguard the information.
- Business Associate is an entity that:
- Performs or assists in performing a Plan function or activity involving the use and disclosure of protected health information, including claims processing or administration, data analysis, underwriting, etc.
- Provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
- Disclosures of De-Identified Information
- The Plan may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
ADMINISTRATIVE REGULATION:
400.14-5
APPROVED:
6.13.2017
Policies on Individual Rights - 400.14-5
- Access to Protected Health Information and Requests for Amendment
- Participants have the right to access and obtain copies of their PHI that the Plan (or its business associates) maintains in designated record sets. Participants also may request to have their PHI amended. The Plan will provide access to PHI and will consider requests for amendment that are submitted in writing by the participants.
- “Designated Record Set” is a group of records maintained by or for the District that includes:
- The enrollment, payment and claim adjudication records of an individual maintained by or for the Plan; or
- Other PHI used, in whole or in part, by or for the Plan to make coverage decisions about an individual.
- Accounting: An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures for the following reasons:
- To carry out treatment, payment or health care operations;
- To individuals about their own PHI;
- Incident to an otherwise permitted use or disclosure;
- Pursuant to an authorization;
- For purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
- As part of a limited data set; or
- For other national security or law enforcement purposes.
- The Plan shall respond to an accounting request within 60 days. If the Plan is unable to provide the accounting within 60 days, it may extend the period 30 days, provided that it gives the participant notice including the reason for the delay and the date the information will be provided.
- The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure, or a copy of the written request for disclosure, if any.
- The first accounting in any 12-month period shall be provided free of charge. Subsequent accountings will be charged a fee for time and material.
- Requests for Alternative Communication Means or Locations
- Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of the District, the requests are reasonable. However, the District shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of the information could endanger the participant.
- Requests for Restrictions of Uses and Disclosures of Protected Health Information
- A participant may request restrictions on the use and disclosure of his or her PHI. An attempt to honor the request will be made if the request is reasonable.
Exhibits
None
Forms
None
Document History
Revised – 6.13.2017. Policy—400.14—Protected Health Information Privacy was revised to update privacy notice language as required by HIPAA for issuing a privacy notice to all participants in the District Insurance Plan, informing participants that the District has access to Protected Health Information (PHI) as part of the District’s Insurance Plan administrative functions. The privacy notice language includes complaint procedures for unauthorized PHI disclosure, contact information, and the content and timing of the privacy notice.
Adopted – 7.1.2009.
This online presentation is an electronic representation of the Canyons School District’s currently adopted policy manual. It does not reflect updating activities in progress. The official, authoritative manual is available for inspection in the office of the Superintendent located at 9361 South 300 East Sandy, UT 84070.