Number:

826

Section:

Operations

Title:

HIPAA

Date Adopted:

October 26, 2004

Date Reviewed:

 

 

 

Purpose
The School District is committed to protecting medical information about employees and others. The District, the administration, and its agents will only use protected health information (PHI) to the extent of and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal state laws. To ensure that the integrity and the confidentiality of PHI are safeguarded to the highest degree possible, the School Board advises and directs the following.

Definition
A. Business Associate: A business associate is a person or entity that provides certain functions, activities, or services for, or to the school district, involving the use and/or disclosure of PHI.

B. Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA is a federal law that requires reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of healthcare information; to protect against reasonably foreseeable threats and hazards to the security or integrity of the information; and, to protect against unauthorized uses or disclosure of the information.

C. Minimum Necessary Standard: The organization will make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.

D. Protected Health Information (PHI): Individually identifiable health information that is transmitted by electronic media; maintained in any electronic medium such as magnetic tape, disc, or optical file; or transmitted or maintained in any other form or medium, i.e., paper, voice, internet, fax.

Consent for the Use of PHI:
The School District, the administration, and its agents will not use or disclose an employee’s PHI for any purpose without the properly documented consent or authorization of the employee or his/her authorized representative unless permitted or required to do so by federal and or state law or regulation; unless an emergency exists; or, unless the information has been sufficiently de-identified that the recipient would be unable to link the information to the employee. The School District, the administration, and its agents may use and disclose PHI without the consent or authorization of the employee for the following:

  1. as required by law;
  2. for public health activities;
  3. about victims of abuse, neglect or domestic violence;
  4. to health oversight agencies for health oversight activities;
  5. for judicial and administrative proceedings;
  6. for law enforcement purposes;
  7. regarding decedents, to coroners, medical examiners and funeral directors;
  8. for research if a waiver of authorization has been obtained by the Institutional Review Board (“IRB”) or a Privacy Board;
  9. to prevent serious and imminent harm to health or safety of a person or the public;
  10. for specialized government functions;
  11. military and veterans activities;
  12. national security and intelligence;
  13. protective services for the President and others;
  14. to the Department of State to make medical suitability determinations;
  15. to correctional institutions and law enforcement officials regarding an inmate; and
  16. worker’s compensation if necessary to comply with the laws relating to worker’s compensation or other similar programs.

Permitted Uses of PHI
The District, the administration, and its agents may use PHI to the extent of and in accordance with the uses and disclosures permitted by HIPAA and other federal and state laws. Specifically, the District, the administration, and its agents may use and disclose PHI for purposes related to health care treatment, payment for health care, and health care operations.

A. Payment: includes activities undertaken by the District and its agents to obtain premiums or determine or fulfill its responsibility of coverage and provision of health care plan benefits that relate to an individual to whom health care is provided. These activities include, but are not limited to, the following:

  1. determination of eligibility, coverage and cost sharing amounts (for example, cost of a benefit, plan maximums and co-payments as determined for an individual’s claim);
  2. coordination of benefits;
  3. adjudication of health benefit claims (including appeals and other payment disputes);
  4. subrogation of health benefit claims;
  5. establishing employee contributions;
  6. risk adjusting amounts due based on enrollee health status and demographic characteristics;
  7. billing, collection activities and related health care data processing;
  8. claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes and responding to participant inquires about payments;
  9. obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance);
  10. medical necessity reviews or reviews of appropriateness of care or justification of charges;
  11. utilization review, including pre-certification, pre-authorization, concurrent review and retrospective review;
  12. disclosure to consumer reporting agencies related to the collection of premiums or reimbursement (the following PHI may be disclosed for payment purposes: name and address, date of birth, Social Security number, payment history, account number and name and address of the provider and/or health plan); and,
  13. reimbursement to the plan.

Health Care Operations include, but are not limited to, the following activities:

  1. quality assessment;
  2. population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting health care providers and patients with information about treatment alternatives and related functions;
  3. rating provider and plan performance, including accreditation, certification, licensing or credentialing activities;
  4. underwriting premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess of lass insurance);
  5. conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
  6. business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the plan, including formulary development and administration, development or improvement of payment methods or coverage policies;
  7. business management and general administrative activities of the District’s health care plans, including, but not limited to:
  8. management activities relating to the implementation of and compliance with HIPAA’s administrative simplification requirements, or
        b. customer service, including the provision of data and analyses for policyholders, plan sponsors or other customers;
  9. resolution of internal grievances.


Protecting and Safeguarding PHI
The administration shall implement reasonable administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure that is a violation of HIPAA regulations. Additionally, the administration and agents shall take reasonable steps to limit the use and/or disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose.

The administration also shall establish and maintain procedures to receive and address employee requests regarding PHI and complaints of unauthorized uses and/or disclosures. The administration will keep documentation regarding all requests and complaints.


Notice of Privacy Practices
The administration shall publish and distribute a Notice of Privacy Practices that informs employees and others in plain language about the uses and disclosures of PHI the organization will make; employees’ rights concerning uses and disclosures; and, limitations on the School District in that it cannot use or disclose information in a manner not covered in the Notice.

Employees’ Rights Regarding PHI
Employees have the following rights regarding their own protected health information:

A. access to their records subject to reasonable limitations related to the business processes of the School District unless, in the opinion of an appropriate medical professions, such access would be detrimental to the employee;
B. to request amendment to the records to correct alleged inaccuracies. Such amendments shall be subject to law, professional ethics, and professional judgment and standards;
C. to request restrictions on the uses and disclosures of PHI; and
D. to request and receive an accounting of disclosures of PHI for uses other than treatment, payment, and healthcare operations.

Contractual Assurances Protecting PHI
The administration will establish contractual assurances from all business associates to which PHI is disclosed to the effect that the information will be used only for the purposes for which they were engaged, will safeguard the information from misuse, and will help the School District comply with its duties to provide employees with access to health information about them and a history of certain disclosures.

HIPAA Training
The administration shall provide adequate training and timely updates related to the policies and procedures for compliance with the HIPPP privacy standards for all current employees, new hires, agents and business associates handling PHI. Training content and participation will be documented and retained by the Privacy Officer.

Documentation
All HIPAA related documentation and records will be kept in written and/or electronic form for a period of six (6) years from the date of creation or from the date when it last was in effect, whichever is later.

Violations of HIPAA and This Policy
The administration, employees, and agents of the School District shall comply with the standards set forth in this policy. Violation of this policy and unauthorized uses and/or disclosures of protected health information are very serious offenses. Not only is violation of this policy grounds for disciplinary action, up to and including termination of employment, but violations related to unauthorized use and disclosure of protected health information may be subject to civil and criminal penalties including significant monetary costs and incarceration.