Loading...
Item 9A PolicyCity of Southlake Personnel Policies Section Rules and Regulations Tonic Health Insurance Portability and Accountability Act ( HIPAA) Privacy Policy Effective Date April 14, 2004 Approved By : Resolution No. 04 -020 Revision Date HIPAA Privacy Policy 1.0 Purpose The Health Insurance Portability and Accountability Act ( HIPAA) was enacted in 1996. The U.S. Department of Health and Human Services ( "HHS ") issued the Standards for Privacy of Individually Identifiable Health Information ( " Privacy Rule ") to implement the Administrative Simplification provisions of HIPAA. The Administrative Simplification provisions required the HHS to adopt national standards for electronic health care transactions. The Privacy Rule was implemented on April 14, 2001 to set national standards for the protection of protected health information ( "PHI "). It is the policy of the City to limit the use or disclosure of protected health information (1) only as permitted or required by the Privacy Rule, as described in the Notice of Privacy Practices; or (2) as authorized in writing by the individual who is the subject of the information. 2.0 Applicability This policy applies only to those administrative functions by the City associated with health, dental, vision, prescription drug, and flexible spending account benefits provided by the City of Southlake. This policy does not apply to the responsibilities of the carriers that provide the City's health, dental, vision, prescription drug, and flexible spending benefit plans to comply with the Privacy Rule. Further, this policy does not apply to individually identifiable health information that is maintained by the City in its role as employer. For example, this policy does not apply to information learned during pre- employment or drug testing, in processing workers compensation, or in complying with the Family Medical Leave Act. As such, the City is considered a "hybrid entity" under the provisions of the Privacy Rule, and this policy shall apply only to the health care components previously described. HIPAA Privacy Policy Effective: April 14, 2004 Page 2 of 11 3.0 Definitions 3.1. Disclosure — the release, transfer, provision of access to, or divulging of information outside the entity holding the information. 3.2. Individually Identifiable Health Information — information, including demographic data, that relates to: • an individual's past, present, or future physical or mental health or condition; • the provision of health care to the individual, or • the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is reasonable basis to believe can be used to identify the individual. 3.3. Protected Health Information (PHI) — individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. 3.4. Use — the sharing, employment, application, utilization, examination, or analysis of individually identifiable health information within an entity. 3.5. Workforce Members — employees, volunteers, trainees, and other persons whose conduct is under the direct control of the City. 4.0 Privacy Officer 4.1. The Director of Human Resources is designated as the City's Privacy Officer for the City's Plan. 4.2. Responsibilities of the Privacy Officer include, but are not limited to: a. developing and implementing privacy policies and procedures; b. distributing and posting the City's Notice of Privacy Practices; C. receiving, processing, and documenting complaints applicable to this policy; d. providing individuals with information on privacy practices; and e. ensuring that City employees are trained on the privacy policies and procedures as necessary to perform the functions of their job. D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 3 of 11 5.0 Required and Permitted Uses and Disclosures 5.1. The Privacy Rule requires the disclosure of protected health information without an individual's authorization for certain purposes or situations defined by law. The Privacy Rule also ep rmits the use and disclosure of protected health information without an individual's authorization under certain circumstances. 5.2. The City may release protected health information for the purposes outlined in the City's Notice of Privacy Practices which may be obtained from the City's Privacy Officer. 6.0 Safeguards 6.1. The City will maintain reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. These safeguards reasonably prevent the intentional or unintentional use or disclosure of protected health information and limit incidental use and disclosure of protected health information. Examples of safeguards include, but are not limited to the following: a. shredding documents that might include protected health information before discarding them; b. securing medical files that contain protected health information in a locked file cabinet; and C. limiting access to protected health information to authorized personnel only and revoking such access upon transfer or termination of employment. 6.2. Access to protected health information is limited to employees in the Human Resources department trained in the requirements of the HIPAA Privacy Rule, or to those who have a legal right to protected health information as described in the Notice of Privacy Practices. 6.3. Protected health information shall be maintained in the employee's medical file in a locked file cabinet in the Human Resources File Room. 6.4. Protected health information that is used or disclosed should only be the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 4 of 11 7.0 Authorizations 7.1. Employees contacting the Human Resources department regarding a claim for health care expenses or other issues with the City's health care carrier, must complete and sign the Authorization to Use and Disclose Protected Health Information form (or similar form provided by the carrier) before Human Resources can offer any assistance. 7.2. Employees have the right to access their own protected health information, request an amendment to their own protected health information, and request an accounting regarding any disclosures that have been made by the City to third parties. 8.0 HIPAA's Effect on other Health Care Information Neither HIPAA nor this policy protect individually identifiable health care information required for life insurance, disability insurance, workers' compensation, or employment records (e.g. records of absences or tardiness for health reasons, pre- employment medical records, Family Medical Leave Act (FMLA) records, Americans with Disabilities Act (ADA) records, etc.) kept by the City in its capacity as an employer. 9.0 Documentation and Record Retention 9.1. The City will retain documentation as required by the Privacy Rule for six (6) years from the effective date of this policy or six (6) years from the date of creation, whichever is later. 9.2. Documentation that must be retained include: a. privacy polices and procedures; b. privacy notices; C. disposition of complaints; and d. other actions, activities, and designations that the Privacy Rule requires to be documented. 9.3. These records shall be maintained by the Privacy Officer in the Human Resources Department, as specified in Section 6.3. 10.0 Waivers The City will not require an individual to waive his or her right under the Privacy Rule as a condition for obtaining treatment, payment, enrollment, or benefits eligibility. D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 5 of 11 11.0 Complaints 11.1. Complaints regarding violations of this policy or violations of the Notice of Privacy Practices shall be submitted in writing to the Privacy Officer within five (5) business days of the suspected violation or from the time the employee first became aware of its occurrence. a. In the event that the complaint of violation is against the Privacy Officer, the written complaint may be presented directly to the City Manager, whc will designate someone to investigate the complaint. All other provisions of this section then apply. 11.2. The written complaint shall include the following information: a. the nature of the violation; b. the date of the violation; C. the identity of the employee who claims to be harmed; d. the identity of the party or parties alleged to have caused the violation; and e. the remedy which is sought. 11.3. Within ten (10) business days of receipt of the written complaint the Privacy Officer shall meet with the complainant to discuss the matter. 11.4. A decision by the Privacy Officer, whether reached during this discussion or afterward, shall be presented in writing to the employee within ten (10) business days after the meeting. 11.5. If the decision made by the Privacy Officer is unsatisfactory to the complainant, he or she may file an appeal within five (5) business days to the City Manager. a. Within ten (10) business days of receipt of the appeal, the City Manager shall notify the complainant in writing of the decision to hear the appeal. b. Should the City Manager decide not to hear the appeal, the decision of the Privacy Officer shall be final. Should the City Manager agree to hear the appeal, the City Manager will meet with the complainant to discuss the complaint. C. The decision of the City Manager shall be presented in writing to the complainant within in ten (10) business days of the meeting. The decision by the City Manager shall be final. 11.6. All timeframes maybe extended with the City Manager's approval. D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 6 of 11 11.7. Complaints may also be filed with the U.S. Department of Health and Human Services, Office for Civil Rights: 1301 Young Street, Suite 1169 Dallas, Texas 75202 Telephone: 214 - 767 -4056 TDD: 214 - 767 -8940 Internet: http://www.hhs.gov/ocr/privacy/howtofile.htm /ocr/privacy /howtofile.htm 12.0 Mitigation The City shall mitigate, to the extent possible, any harmful effect it learns was caused by the use or disclosure of protected health information by its workforce or business associates in violation of its privacy policy, procedures, or the Privacy Rule. 13.0 Anti - Retaliation 13.1. The City will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against: a. any individual for the exercise of any right under, or for participation by the individual in any process provided for by HIPAA. b. any individual for: i. Filing a complaint with the Secretary of the Department of Health and Human Services; ii. Testifying, assisting, or participating in an investigation, compliance review processing, or other hearing; iii. Opposing any act or practice made unlawful by HIPAA, provided the individual has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of HIPAA. 13.2. Any individual who believes he or she has been retaliated against in violation of this policy should immediately contact the Director of Human Resources at (817) 481 -1952 or the City Manager at (817) 481 -1420. Such complaints will be immediately investigated. A complaint may also be filed with the U. S. Department of Health and Human Services, Office for Civil Rights: 1301 Young Street Suite 1169 Dallas, Texas 75202 Telephone: 214 - 767 -4056, TDD: 214 - 767 -8940 Internet: http://www.hhs.gov/ocr/privacyhowtofile.htm /ocr/privacyhowtofile.htm D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 7 of 11 14.0 Policy Violations Violations of this policy will result in disciplinary action up to and including termination. Violation may also result in civil or criminal penalties. D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 8 of 11 City of Southlake Authorization for Use and Disclosure of Protected Health Information This form will allow the City of Southlake to release and receive confidential health information about the individual identified below. This authorization is voluntary. If you do not fill out this form completely, the City may not be able to process your request. Carrier specific forms may be used in lieu of this form when necessary. 1. Individual Information Name Social Security Number: Street Address: Daytime Telephone Number: Date of Birth: City, State and Zip Code: 2. I authorize the individual(s) or company(ies) identified below to receive confidential health information pertaining to the individual named above. ❑ City of Southlake — Human Resources Department Daytime Telephone Number: 817 - 481 -1990 Street Address: 1400 Main Street, Suite 260 City, State and Zip Code: Southlake, TX 76092 ❑ Spouse/Family Member: Street Address: ❑ Other Individual or Company: Street Address: Daytime Telephone Number: City, State and Zip Code: Daytime Telephone Number: City, State and Zip Code: 3. Purpose(s) for this Authorization ❑ To respond to all requests for confidential health information made by the individual(s) or company(ies) named above. ❑ To respond to requests for only the following specific information (for example, disclosures about claims submitted by a specific provider). (Expires one (1) year from date of authorization, unless otherwise noted.) Expiration: D: \Human Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Paae 9 of 11 1 4. Description of the information to be released: ❑ Application or enrollment information ❑ Claim records ❑ Claim status ❑ Patient management records ❑ Other: 5. Important: Your signature below means that you understand and agree to the following: • Information disclosed under this authorization may be re- disclosed by the recipient and is no longer protected by federal privacy regulations. • Your ability to enroll in a City medical, dental, or flexible spending account, your eligibility for benefits and payment for services will not be affected if you do not sign this form. (However, without your signature, your request to release the information described above will not be honored). • You may request a copy of this form from the City's Privacy Officer at the address listed below. • Unless otherwise noted, this authorization will expire one (1) year from the date you sign this authorization. If you sign this form, you make revoke the authorization at any time by notifying the City in writing at the address below. Revoking this authorization will not have any effect on actions that the City took in reliance on the authorization before we received this notification. 6. Signature of Individual or Individual's Legal Representative Signature: Date: Print Name: If the person signing this authorization is not the individual listed in Section 1, please describe the relationship to the individual: ❑ Natural or Adoptive Parent of a Minor Child ❑ Legal Representative (i.e., someone with legal authority to act on the individual's behalf). If this authorization is being signed by an individual's legal representative (other than a parent of a minor child), you must furnish a copy of the health care power of attorney, or other relevant document authorizing you to act on the individuals behalf. 7. Return this Completed Form to: Privacy Officer/Director of Human Resources City of Southlake 1400 Main Street, Suite 260 Southlake, TX 76092 Phone: (817) 481 -1952 Fax: (817) 481 -1998 DAHuman Resources\Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 10 of 11 City of Southlake Uses and Disclosures of Protected Health Information 1. Individual Information Name Daytime Telephone Number: 2. The following confidential health information was released by the City relating to the attached Authorization for Use and Disclosure of Protected Health Information. Date: I Individual /Comnanv: I Information Released: WHuman Resources\Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011 HIPAA Privacy Policy Effective: April 14, 2004 Page 11 of 11 DAHuman Resources \Item 9A -HIPAA Privacy Policy FINAL.docl /20/2011