- Home
- District Policies
- 4000 Human Resources Policies
- 4258-R Health Insurance Portability and Accountability Act - Privacy
I'm looking for...
4258-R Health Insurance Portability and Accountability Act - Privacy
-
Assigning Privacy and Security ResponsibilitiesThe Human Resource Manager is assigned the responsibility of implementing and maintaining the HIPAA Privacy and Security Rule's requirements. This individual will be designated as the Privacy Officer for Campbell County School District.Uses and Disclosures of Protected Health InformationProtected health information may not be used or disclosed except when at least one of the following conditions is true:
- The individual who is the subject of the information has authorized the use or disclosure.
- The individual who is the subject of the information has received our Notice of Privacy Practices and acknowledged receipt of the Notice, thus allowing the use or disclosure and the use or disclosure is for treatment, payment or health care operations.
- The individual who is the subject of the information agrees or does not object to the disclosure and the disclosure is to persons involved in the health care of the individual.
- The disclosure is to the individual who is the subject of the information or to the Department of Health and Human Services for compliance-related purposes.
- The use of disclosure is for one of the HIPAA "public purposes" (i.e. required by law, etc.).
Deceased IndividualsPrivacy protections extend to information concerning deceased individuals.Notice of Privacy PracticesA notice of privacy practices will be published. This notice and any revisions to it will be provided to all individuals who participate in the Health and Dental Plan, Flex Program and Vision Program.Restriction RequestsSerious consideration must be given to all requests for restriction on uses and disclosures of protected health information. If a particular restriction is agreed to, the District is bound by that restriction.Minimum Necessary Disclosure of Protected Health InformationExcept for disclosures made for treatment purposes, all disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the disclosure.Access to Protected Health InformationAccess to protected health information must be granted to each employee or vendor based on the assigned job functions of the employee or contractor. Such access privileges should not exceed those necessary to accomplish the assigned job function.Access to Protected Health Information by the IndividualAccess to protected health information must be granted to the person who is the subject of such information when such access is requested, or at the very least within the time frames required by the HIPAA Privacy Rule. We will inform the person requesting access, of the location of protected health information if we do not physically possess such PHI but have knowledge of its location.Amendment of Incomplete or Incorrect Protected Health InformationAll requests for amendment of incorrect protected health information maintained by the District will be considered in a timely fashion. If such requests demonstrate that the information is actually incorrect, the District will allow amending language to be added to the appropriate document and this addition will be done in a timely fashion.Access by Personal RepresentativeAccess to protected health information must be granted to personal representatives of individuals as though they were the individuals themselves, except in cases of abuse where granting said access might endanger the individual or someone else. The District will conform to the relevant custody status and the strictures of state, local, case, and other applicable law when disclosing information about minors to their parents.Confidential Communications ChannelsConfidential communications channels will be used, as requested by the individuals, to the extent possible.Disclosure AccountingAn accounting of all disclosures subject to such accounting of protected health information will be given to individuals whenever such an accounting is requested.Judicial and Administrative ProceedingsInformation will be disclosed for the purposes of a judicial or administrative proceeding only when: accompanied by a court or administrative order or grand jury subpoena; when accompanied by a subpoena or discovery request that includes either the authorization of the individual to whom the information applies, documented assurances that good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual, or a qualified protective order issued by the court. If a subpoena or discovery request is submitted to the District without one of those assurances, the District will seek to notify the individual, obtain their authorization, or obtain a qualified protective order before the District discloses any information. In no case will the District disclose information other than that required by the court order, subpoena, or discovery request.De-Identified Data and Limited Data SetsDe-identified data will be disclosed only if it has been properly de-identified by a qualified statistician or by removing all the relevant identifying data. The Dsitrict will make use of limited data sets, but only after the relevant identifying data has been removed and then only to organizations with whom the District has adequate data use agreements and only for research, public health, or health care operations purposes.AuthorizationsA valid authorization will be obtained for all disclosures that are not for: treatment, payment, health care operations, to the individual or their personal representative, to persons involved with the individuals care, to business associates in their legitimate duties, to facility directories or for public purposes. This authorization will include all the mandatory elements and any authorizations generated from outside the District will be checked to see if they are valid.ComplaintsAll complaints relating to the protection of health information will be investigated and resolved in a timely fashion. Furthermore, all complaints will be addressed to the Privacy Officer, who will be duly authorized to investigate complaints and implement resolutions if the complaint stems from a valid area of non-compliance with the HIPAA Privacy and Security Rule.Prohibited ActivitiesNo employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations. No employee or contractor may condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information.ResponsibilityThe responsibility for designing and implementing procedures to implement this policy lies with the Privacy Officer.Verification of IdentityThe identity of all persons who request access to protected health information will be verified before such access is granted.MitigationThe effects of all persons who request access to protected health information will be mitigated to the extent possible.SafeguardsAppropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. These safeguards will include physical protection of premises and protected health information, technical protection of protected health information maintained electronically and administrative protection. These safeguards will extend to the oral communication of protected health information. These safeguards will extend to protected health information that is removed from the District.Business AssociatesBusiness associates must be contractually bound to protect health information to the same degree as set forth in this regulation. Business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate.Training and AwarenessIt will be the responsibility of the Privacy Officer to ensure that all members of the Human Resources and Payroll workforce have been trained by the compliance date on the policies and procedures governing protected health information and how the District complies with the HIPAA Privacy and Security Rule. New members of the Human Resources and Payroll workforce will receive training on these matters within a reasonable time. The Privacy Officer will provide training should any policy or procedure related to the HIPAA Privacy and Security Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes.Retention of RecordsThe HIPAA Privacy Rule records retention requirements of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at the District's discretion to meet with other governmental regulations or those requirements imposed by our professional liability carrier.Cooperation with Privacy Oversight AuthoritiesOversight agencies such as the Office for Civil Rights of the Department of Health and Human Services will be given full support and cooperation in their efforts to ensure the protection of health information within the District. All personnel must cooperate fully with all privacy compliance reviews and investigations.ADOPTION DATE: April 8, 2003; Reviewed March 27, 2007; Revised April 11, 2023LEGAL REFERENCE(S):CROSS REFERENCE(S): 4258ADMINISTRATIVE REGULATION: