Item 9A PolicyCity of Southlake
Personnel Policies
Section Rules and Regulations
Tonic Health Insurance Portability
and Accountability Act
( HIPAA) Privacy Policy
Effective Date April 14, 2004
Approved By : Resolution No. 04 -020
Revision Date
HIPAA Privacy Policy
1.0 Purpose
The Health Insurance Portability and Accountability Act ( HIPAA) was enacted in 1996.
The U.S. Department of Health and Human Services ( "HHS ") issued the Standards for
Privacy of Individually Identifiable Health Information ( " Privacy Rule ") to implement
the Administrative Simplification provisions of HIPAA. The Administrative
Simplification provisions required the HHS to adopt national standards for electronic
health care transactions. The Privacy Rule was implemented on April 14, 2001 to set
national standards for the protection of protected health information ( "PHI ").
It is the policy of the City to limit the use or disclosure of protected health information
(1) only as permitted or required by the Privacy Rule, as described in the Notice of
Privacy Practices; or (2) as authorized in writing by the individual who is the subject of
the information.
2.0 Applicability
This policy applies only to those administrative functions by the City associated with
health, dental, vision, prescription drug, and flexible spending account benefits provided
by the City of Southlake. This policy does not apply to the responsibilities of the carriers
that provide the City's health, dental, vision, prescription drug, and flexible spending
benefit plans to comply with the Privacy Rule. Further, this policy does not apply to
individually identifiable health information that is maintained by the City in its role as
employer. For example, this policy does not apply to information learned during pre-
employment or drug testing, in processing workers compensation, or in complying with
the Family Medical Leave Act. As such, the City is considered a "hybrid entity" under
the provisions of the Privacy Rule, and this policy shall apply only to the health care
components previously described.
HIPAA Privacy Policy
Effective: April 14, 2004
Page 2 of 11
3.0 Definitions
3.1. Disclosure — the release, transfer, provision of access to, or divulging of
information outside the entity holding the information.
3.2. Individually Identifiable Health Information — information, including
demographic data, that relates to:
• an individual's past, present, or future physical or mental health or condition;
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the
individual;
and that identifies the individual or for which there is reasonable basis to believe
can be used to identify the individual.
3.3. Protected Health Information (PHI) — individually identifiable health information
held or transmitted by a covered entity or its business associate, in any form or
media, whether electronic, paper, or oral.
3.4. Use — the sharing, employment, application, utilization, examination, or analysis
of individually identifiable health information within an entity.
3.5. Workforce Members — employees, volunteers, trainees, and other persons whose
conduct is under the direct control of the City.
4.0 Privacy Officer
4.1. The Director of Human Resources is designated as the City's Privacy Officer for
the City's Plan.
4.2. Responsibilities of the Privacy Officer include, but are not limited to:
a. developing and implementing privacy policies and procedures;
b. distributing and posting the City's Notice of Privacy Practices;
C. receiving, processing, and documenting complaints applicable to this
policy;
d. providing individuals with information on privacy practices; and
e. ensuring that City employees are trained on the privacy policies and
procedures as necessary to perform the functions of their job.
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 3 of 11
5.0 Required and Permitted Uses and Disclosures
5.1. The Privacy Rule requires the disclosure of protected health information without
an individual's authorization for certain purposes or situations defined by law.
The Privacy Rule also ep rmits the use and disclosure of protected health
information without an individual's authorization under certain circumstances.
5.2. The City may release protected health information for the purposes outlined in the
City's Notice of Privacy Practices which may be obtained from the City's Privacy
Officer.
6.0 Safeguards
6.1. The City will maintain reasonable and appropriate administrative, technical, and
physical safeguards to protect the privacy of protected health information. These
safeguards reasonably prevent the intentional or unintentional use or disclosure of
protected health information and limit incidental use and disclosure of protected
health information. Examples of safeguards include, but are not limited to the
following:
a. shredding documents that might include protected health information
before discarding them;
b. securing medical files that contain protected health information in a locked
file cabinet; and
C. limiting access to protected health information to authorized personnel
only and revoking such access upon transfer or termination of
employment.
6.2. Access to protected health information is limited to employees in the Human
Resources department trained in the requirements of the HIPAA Privacy Rule, or
to those who have a legal right to protected health information as described in the
Notice of Privacy Practices.
6.3. Protected health information shall be maintained in the employee's medical file in
a locked file cabinet in the Human Resources File Room.
6.4. Protected health information that is used or disclosed should only be the minimum
amount necessary to accomplish the intended purpose of the use, disclosure or
request.
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 4 of 11
7.0 Authorizations
7.1. Employees contacting the Human Resources department regarding a claim for
health care expenses or other issues with the City's health care carrier, must
complete and sign the Authorization to Use and Disclose Protected Health
Information form (or similar form provided by the carrier) before Human
Resources can offer any assistance.
7.2. Employees have the right to access their own protected health information,
request an amendment to their own protected health information, and request an
accounting regarding any disclosures that have been made by the City to third
parties.
8.0 HIPAA's Effect on other Health Care Information
Neither HIPAA nor this policy protect individually identifiable health care information
required for life insurance, disability insurance, workers' compensation, or employment
records (e.g. records of absences or tardiness for health reasons, pre- employment medical
records, Family Medical Leave Act (FMLA) records, Americans with Disabilities Act
(ADA) records, etc.) kept by the City in its capacity as an employer.
9.0 Documentation and Record Retention
9.1. The City will retain documentation as required by the Privacy Rule for six (6)
years from the effective date of this policy or six (6) years from the date of
creation, whichever is later.
9.2. Documentation that must be retained include:
a. privacy polices and procedures;
b. privacy notices;
C. disposition of complaints; and
d. other actions, activities, and designations that the Privacy Rule requires to
be documented.
9.3. These records shall be maintained by the Privacy Officer in the Human Resources
Department, as specified in Section 6.3.
10.0 Waivers
The City will not require an individual to waive his or her right under the Privacy Rule as
a condition for obtaining treatment, payment, enrollment, or benefits eligibility.
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 5 of 11
11.0 Complaints
11.1. Complaints regarding violations of this policy or violations of the Notice of
Privacy Practices shall be submitted in writing to the Privacy Officer within five
(5) business days of the suspected violation or from the time the employee first
became aware of its occurrence.
a. In the event that the complaint of violation is against the Privacy Officer,
the written complaint may be presented directly to the City Manager, whc
will designate someone to investigate the complaint. All other provisions
of this section then apply.
11.2. The written complaint shall include the following information:
a. the nature of the violation;
b. the date of the violation;
C. the identity of the employee who claims to be harmed;
d. the identity of the party or parties alleged to have caused the violation; and
e. the remedy which is sought.
11.3. Within ten (10) business days of receipt of the written complaint the Privacy
Officer shall meet with the complainant to discuss the matter.
11.4. A decision by the Privacy Officer, whether reached during this discussion or
afterward, shall be presented in writing to the employee within ten (10) business
days after the meeting.
11.5. If the decision made by the Privacy Officer is unsatisfactory to the complainant,
he or she may file an appeal within five (5) business days to the City Manager.
a. Within ten (10) business days of receipt of the appeal, the City Manager
shall notify the complainant in writing of the decision to hear the appeal.
b. Should the City Manager decide not to hear the appeal, the decision of the
Privacy Officer shall be final. Should the City Manager agree to hear the
appeal, the City Manager will meet with the complainant to discuss the
complaint.
C. The decision of the City Manager shall be presented in writing to the
complainant within in ten (10) business days of the meeting. The decision
by the City Manager shall be final.
11.6. All timeframes maybe extended with the City Manager's approval.
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 6 of 11
11.7. Complaints may also be filed with the U.S. Department of Health and Human
Services, Office for Civil Rights:
1301 Young Street, Suite 1169
Dallas, Texas 75202
Telephone: 214 - 767 -4056
TDD: 214 - 767 -8940
Internet: http://www.hhs.gov/ocr/privacy/howtofile.htm
/ocr/privacy /howtofile.htm
12.0 Mitigation
The City shall mitigate, to the extent possible, any harmful effect it learns was caused by
the use or disclosure of protected health information by its workforce or business
associates in violation of its privacy policy, procedures, or the Privacy Rule.
13.0 Anti - Retaliation
13.1. The City will not intimidate, threaten, coerce, discriminate against or take other
retaliatory action against:
a. any individual for the exercise of any right under, or for participation by
the individual in any process provided for by HIPAA.
b. any individual for:
i. Filing a complaint with the Secretary of the Department of Health
and Human Services;
ii. Testifying, assisting, or participating in an investigation,
compliance review processing, or other hearing;
iii. Opposing any act or practice made unlawful by HIPAA, provided
the individual has a good faith belief that the practice opposed is
unlawful, and the manner of the opposition is reasonable and does
not involve a disclosure of protected health information in violation
of HIPAA.
13.2. Any individual who believes he or she has been retaliated against in violation of
this policy should immediately contact the Director of Human Resources at (817)
481 -1952 or the City Manager at (817) 481 -1420. Such complaints will be
immediately investigated. A complaint may also be filed with the U. S.
Department of Health and Human Services, Office for Civil Rights:
1301 Young Street Suite 1169
Dallas, Texas 75202
Telephone: 214 - 767 -4056,
TDD: 214 - 767 -8940
Internet: http://www.hhs.gov/ocr/privacyhowtofile.htm
/ocr/privacyhowtofile.htm
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 7 of 11
14.0 Policy Violations
Violations of this policy will result in disciplinary action up to and including termination.
Violation may also result in civil or criminal penalties.
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 8 of 11
City of Southlake
Authorization for Use and Disclosure of Protected Health Information
This form will allow the City of Southlake to release and receive confidential health information about the
individual identified below. This authorization is voluntary. If you do not fill out this form completely, the
City may not be able to process your request. Carrier specific forms may be used in lieu of this form when
necessary.
1. Individual Information
Name
Social Security Number:
Street Address:
Daytime Telephone Number:
Date of Birth:
City, State and Zip Code:
2. I authorize the individual(s) or company(ies) identified below to receive confidential health information
pertaining to the individual named above.
❑ City of Southlake — Human Resources Department Daytime Telephone Number: 817 - 481 -1990
Street Address: 1400 Main Street, Suite 260 City, State and Zip Code: Southlake, TX 76092
❑ Spouse/Family Member:
Street Address:
❑ Other Individual or Company:
Street Address:
Daytime Telephone Number:
City, State and Zip Code:
Daytime Telephone Number:
City, State and Zip Code:
3. Purpose(s) for this Authorization
❑ To respond to all requests for confidential health information made by the individual(s) or company(ies)
named above.
❑ To respond to requests for only the following specific information (for example, disclosures about claims
submitted by a specific provider).
(Expires one (1) year from date of authorization, unless otherwise noted.) Expiration:
D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Paae 9 of 11
1 4. Description of the information to be released:
❑ Application or enrollment information ❑ Claim records
❑ Claim status
❑ Patient management records
❑ Other:
5. Important: Your signature below means that you understand and agree to the following:
• Information disclosed under this authorization may be re- disclosed by the recipient and is no longer
protected by federal privacy regulations.
• Your ability to enroll in a City medical, dental, or flexible spending account, your eligibility for benefits
and payment for services will not be affected if you do not sign this form. (However, without your
signature, your request to release the information described above will not be honored).
• You may request a copy of this form from the City's Privacy Officer at the address listed below.
• Unless otherwise noted, this authorization will expire one (1) year from the date you sign this
authorization. If you sign this form, you make revoke the authorization at any time by notifying the City
in writing at the address below. Revoking this authorization will not have any effect on actions that the
City took in reliance on the authorization before we received this notification.
6. Signature of Individual or Individual's Legal Representative
Signature: Date:
Print Name:
If the person signing this authorization is not the individual listed in Section 1, please describe the relationship
to the individual:
❑ Natural or Adoptive Parent of a Minor Child
❑ Legal Representative (i.e., someone with legal authority to act on the individual's behalf).
If this authorization is being signed by an individual's legal representative (other than a parent of a minor
child), you must furnish a copy of the health care power of attorney, or other relevant document authorizing
you to act on the individuals behalf.
7. Return this Completed Form to:
Privacy Officer/Director of Human Resources
City of Southlake
1400 Main Street, Suite 260
Southlake, TX 76092
Phone: (817) 481 -1952
Fax: (817) 481 -1998
DAHuman Resources\Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 10 of 11
City of Southlake
Uses and Disclosures of Protected Health Information
1. Individual Information
Name
Daytime Telephone Number:
2. The following confidential health information was released by the City relating to the attached
Authorization for Use and Disclosure of Protected Health Information.
Date: I Individual /Comnanv: I Information Released:
WHuman Resources\Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011
HIPAA Privacy Policy
Effective: April 14, 2004
Page 11 of 11
DAHuman Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011