Standard Procedure 130
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Compliance Procedures
Effective:
Supersedes: N/A
Prepared by: Dale Johnson, Employee Benefits Manager
Approved by: William B. Coleman, Jr., Town Manager
SECTION   TITLE
I         Definitions
II        Reserved.
III       An Individual’s Right to Complain About HIPAA Violations to the Secretary of Health and Human Services
IV        Responsibilities of the Plan in Respect to the Secretary of Health and Human Services
V         Responsibilities of the Plan in Respect to the Secretary of Health and Human Services
VI        Contracts between the Plan and Business Associates
VII       Circumstances Under Which the Plan Can Disclose PHI to the Plan Sponsor
VIII      The Plan’s Use and Disclosure of PHI to Carry Out Treatment, Payment, or Health Care Operations
IX        Use and Disclosure of PHI Pursuant to an Authorization, and Describing the Elements of a Valid Authorization
X         Use and Disclosure of PHI in Situations Where the Individual Has an Opportunity to Agree or Object, or in the Case of an Emergency
XI        Use and Disclosure of PHI When an Authorization or
XII       Additional Requirements Governing Uses and Disclosures of PHI
XIII      Except as Noted in This Section, the Plan Will Ensure That Individuals Receive Adequate Notice of (1) the Uses and Disclosures Which the Plan May Make with Respect to PHI; (2) the Individual’s Rights with Respect to PHI; and (3) the Plan’s Legal Duties with Respect to PHI
XIV       The Right of an Individual to Request Restrictions on the Plan’s Use and Disclosure of PHI
XV        Individual’s Right to Access PHI for Inspection and Copying
XVI       Individual’s Right to Require the Plan to Amend PHI in a Designated Record Set
XVII      Individual’s Right to an Accounting of Certain Disclosures of His or Her PHI
XVIII     Rules and Procedures Which the Plan Maintains to Meet HIPAA Administrative Requirements
XIX       Transitional Rules Governing Uses and Disclosures of PHI Created or Received Before
PURPOSE:

These procedures have been put in order that the employee medical and dental plans, collectively known as the Health Manage

Questions about these procedures should be addressed to Town of
PROCEDURES:

I. DEFINITIONS

1. Authorization. A document signed by an individual authorizing disclosure of Protected Health Information and complying with the requirements of Section IX.

2. Business Associate. The term “Business Associate” means a person or entity who:
   a. on behalf of the Plan (or an Organized Health Care Arrangement in which the Plan participates), performs, or assists in performing:
      (i) a function or activity involving the use or disclosure of Individually Identifiable Health Information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management or repricing; or
      (ii) any other function or activity regulated by the Privacy Rules; or
   b. provides legal, actuarial, accounting, consulting, Data Aggregation, management, administrative, accreditation, or financial services for the Plan (or for an Organized Health Care Arrangement in which the Plan participates), where providing these services involves the disclosure of Individually Identifiable Health Information from the Plan or Arrangement, or from another Business Associate of the Plan or Arrangement, to the person.
   A member of the Plan’s Workforce, or of the Organized Health Care Arrangement’s Workforce, is not a Business Associate. In addition, a Covered Entity which participates in an Organized Health Care Arrangement and that performs a function, activity or service for the Arrangement as described above does not, through these roles, become a Business Associate of the other Covered Entities participating in the Arrangement. Finally, a Covered Entity may be a Business Associate of another Covered Entity.
3. Covered Entity. The term “Covered Entity” means a health plan, a health care clearinghouse, or a Health Care Provider who transmits Health Information in electronic form in connection with a transaction covered by HIPAA Privacy Rules.

4. Data Aggregation. The term “Data Aggregation” means the activity of a Business Associate of the Plan when it combines PHI from the Plan with PHI from another Covered Entity, to permit data analysis that relates to Health Care Operations of the Plan or other Covered Entity.

5. De-Identified Information. The term “De-Identified Information” is defined at Part B of Section XII.

6. Designated Record Set. The term “Designated Record Set” means a group of records maintained by or for the Plan, consisting of:
   a. medical and billing records about Individuals maintained by or for a covered Health Care Provider;
   b. the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
   c. the group of records maintained by or for the Plan which is used in whole or part to make decisions about Individuals.
   For purposes of this definition, the term “record” means any item, collection or grouping of information that includes PHI, and that is maintained, collected, used or disseminated by or for a Covered Entity.

7. Effective Date. The term “Effective Date” means the date these procedures are first effective. The Effective Date is generally defined throughout this procedure as

8. Health Care. The term “Health Care” means care, services or supplies related to the health of an individual. “Health Care” includes, but is not limited to:
   a. preventative, diagnostic, therapeutic, rehabilitative, maintenance, palliative care, counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an Individual, or that affects the structure or function of the body; and
   b. sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

9. Health Care Operations. The term “Health Care Operations” is defined in Section VIII.

10. Health Care Provider. The term “Health Care Provider” means a provider of services, including a provider of medical or health services, as defined in the Social Security Act, and any other person or organization that furnishes, bills, or is paid for Health Care in the normal course of business.

11. Health Information. “Health Information” means any information, whether oral or recorded in any form or medium, that:
   a. is created or received by a Health Care Provider, health plan, public health authority, employer, life insurer, school, university or health care clearinghouse; and
   b. relates to the past, present or future physical or mental health or condition of an Individual, the provision of health care to an Individual, or the past, present or future payment for the provision of health care to an Individual.

12. Health Insurance Issuer. The term “Health Insurance Issuer” means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a state and is subject to state law that regulates insurance. The term does not include a group health plan.

13. HHS. The term “HHS” means the United States Department of Health and Human Services.

14. HIPAA. The term “HIPAA” refers to Title II of the Health Insurance Portability and Accountability Act of 1996.
15. Individual. An “Individual” is the person who is the subject of PHI.

16. Individually Identifiable Health Information. The term “Individually Identifiable Health Information” means Health Information, including demographic information, taken from an Individual which either identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

17. Limited Data Set. The term “Limited Data Set” is defined at Part E(2) of Section XII.

18. Marketing. The term “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, unless the communication is made:
   a. to describe a health-related product or service (or payment for such a product or service) that is covered by the Plan, including communications about the entities participating in a Health Care Provider network or health plan network; replacement of or enhancements to the Plan; and health-related products or services available only to Plan enrollees that add value to, but are not covered by, the Plan;
   b. for treatment of the Individual; or
   c. for the Individual’s case management or care coordination, or to direct or recommend alternative treatments, therapies, Health Care Providers, or locations for care to the Individual.
   “Marketing” includes an arrangement between the Plan and any other entity through which the Plan discloses PHI to the other entity in exchange for direct or indirect remuneration, so that the other entity or its affiliate may make a communication about its own products or services that encourages recipients of the communication to purchase or use those products or services.

19. Organized Health Care Arrangement. The term “Organized Health Care Arrangement” means either:
   a. an organized system of health care in which more than one Covered Entity participates, and in which each:
      (i) holds itself out to the public as participating in a joint arrangement; and
      (ii) participates in joint activities that include one or more of the following:
         A. utilization review, in which health care decisions by participating Covered Entities are reviewed by other participating Covered Entities or by a third party on their behalf;
         B. quality assessment and improvement activities, in which treatment by participating Covered Entities is assessed by other participating Covered Entities or by a third party on their behalf; or
         C. payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating Covered Entities through the joint arrangement, and if PHI created or received by a Covered Entity is reviewed by other participating Covered Entities or by a third party on its behalf for the purpose of administering the sharing of financial risk;
   b. a group health plan and a health insurance issuer or HMO with respect to the group plan, but only with respect to PHI created or received by the health insurance issuer or HMO that relates to Individuals who are or who have been participants in the group health plan;
   c. a group health plan and one or more other group health plans maintained by the same Plan Sponsor; and
   d. the group health plans described in “c” above and health insurance issuers or HMOs with respect to these group plans, but only as to PHI created or received by the health insurance issuer or HMO that relates to Individuals who are or who have been participants in any of the group health plans.
20. Payment. The term “Payment” is defined in Section VIII.

21. PHI. The term “PHI” means Protected Health Information.

22. Plan. The term “Plan” refers collectively to all group health plans maintained by the Plan Sponsor, which (a) are subject to the Privacy Rules; and (b) on account of which the Plan Sponsor is responsible to ensure compliance with the Privacy Rules.

23. Plan Sponsor. The Plan Sponsor is the Town of Cary, NC.

24. Privacy Rule or Rules. The terms “Privacy Rule” or “Privacy Rules” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Parts 160 and 164, Subparts A and E.

25. Protected Health Information. The term “Protected Health Information” means Individually Identifiable Health Information that is transmitted or maintained in any form or medium, excluding information contained in employment records of the Plan Sponsor.

26. Psychotherapy Notes. The term “Psychotherapy Notes” means notes recorded in any medium by a Health Care Provider who is a mental health care professional documenting or analyzing the contents of a conversation during a private, joint, group or family counseling session, and that are separate from the rest of an Individual’s medical records. The term does not include prescriptions for medication or monitoring, the start and stop times of counseling sessions, the methods and frequencies of treatments furnished, results of clinical tests, and any summary of diagnosis, functional status, treatment plans, symptoms, prognosis, or progress to date.

27. Research. The term “Research” means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to general knowledge.

28. Secretary. The term “Secretary” means the Secretary of the United States Department of Health and Human Services, or any other officer or employee of HHS to whom pertinent authority has been delegated.

29. Standard Transaction. The term “Standard Transaction” means a transaction that complies with the standards adopted under 45 CFR Part 162.

30. Summary Health Information. The term “Summary Health Information” means information that may be Individually Identifiable Health Information that summarizes the claims history, claims expenses, or type of claims experienced by Individuals under the Plan, and from which the information described in Part (B)(1)(b) of Section XII has been deleted, except that the geographic information described in Part (B)(1)(b)(ii) of Section XII need only be aggregated to the level of a five-digit ZIP code.

31. Treatment. The term “Treatment” is defined in Section VIII.
II. RESERVED.

III. AN INDIVIDUAL’S RIGHT TO COMPLAIN ABOUT HIPAA VIOLATIONS TO THE SECRETARY OF HEALTH AND HUMAN SERVICES

A. Right to file a complaint.

An Individual who believes that the Plan is not complying with the applicable portions of HIPAA’s Privacy Rules may file a complaint with the Secretary of Health and Human Services (“HHS”).

B. Requirements for filing complaints.

1. Complaints to the Secretary of HHS must meet the following requirements:
   a. the complaint must be in writing, either on paper or electronically;
   b. the complaint must name the entity that is the subject of the complaint and describe the acts or omissions which the complaining Individual believes violate HIPAA;
   c. the complaint must be filed within 180 days of the date the complaining Individual knew or should have known that the alleged improper act or omission occurred, unless this time limit is waived by the Secretary for good cause; and
   d. any other requirements which the Secretary has properly imposed.

C. Investigation.

The Secretary has the right to investigate complaints filed under the privacy provisions of HIPAA. This investigation can include a review of pertinent procedures or privacy practices of the Plan, and of any circumstances regarding alleged acts or omissions relating to compliance.
IV. RESPONSIBILITIES OF THE PLAN IN RESPECT TO THE SECRETARY OF HEALTH AND HUMAN SERVICES

A. Providing records and compliance reports.

The Plan must keep records and submit compliance reports in the time and manner, and containing such information, as the Secretary determines is necessary to enable him or her to determine if the Plan has complied or is complying with the applicable privacy requirements of HIPAA.

B. Cooperation with complaint investigation and compliance reviews.

The Plan must cooperate with the Secretary if the Secretary undertakes an investigation or compliance review of its procedures or practices to determine if it is complying with the applicable privacy requirements of HIPAA.

C. Permitting access to information.

1. The Plan must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including PHI, which may be pertinent to determining the Plan’s compliance with applicable privacy requirements of HIPAA. If the Secretary determines that appropriate circumstances exist (such as hidden or destroyed documents), the Plan must permit access by the Secretary at any time and without notice.

2. If any information required from the Plan in connection with an investigation by the Secretary is in the exclusive possession of another agency, institution or person, and the other agency, institution or person fails or refuses to furnish the information, the Plan must certify this fact and describe the efforts it has made to obtain this information.
V. RESPONSIBILITIES OF THE PLAN IN RESPECT TO THE SECRETARY OF HEALTH AND HUMAN SERVICES

A. Permitted and required uses and disclosures.

1. The Plan may not use or disclose PHI, except as permitted or required by HIPAA privacy rules.
   a. The Plan is permitted to use or disclose PHI:
      (i) to the Individual;
      (ii) for an Individual’s Treatment, Payment, or Health Care Operations, as permitted by Section VIII;
      (iii) as part of a use or disclosure otherwise permitted or required by HIPAA Privacy Rules, as long as the Plan has complied with the applicable requirements of Sections V, XII, and XVIII with respect to the permitted or required uses or disclosures;
      (iv) pursuant to an Individual’s valid Authorization under Section IX;
      (v) pursuant to an agreement with the Individual or as otherwise permitted by Section X; and
      (vi) as permitted by and in compliance with Sections V, XII, and XVIII.
   b. The Plan is required to disclose PHI:
      (i) to an Individual, as described in Sections XV and XVII; and
      (ii) when required by the Secretary of HHS in connection with a HIPAA privacy investigation, or to determine the Plan’s compliance with HIPAA privacy rules.

B. Minimum necessary.

1. When using or disclosing PHI or when requesting PHI from another Covered Entity, the Plan must make reasonable efforts to limit the disclosed PHI to the minimum necessary to accomplish the purpose of the use, disclosure, or request.

2. Minimum necessary requirements do not apply to:
   a. disclosures to or requests by a Health Care Provider for Treatment purposes;
   b. uses or disclosures to an Individual, as permitted under Part A(1) above, or as required by Part A(2) above;
   c. uses or disclosures made pursuant to an Authorization under Section IX;
   d. disclosures made to the Secretary of HHS in connection with a HIPAA privacy investigation, or to determine compliance with HIPAA privacy rules;
   e. uses or disclosures required by law, as described in Section XI; and
   f. uses or disclosures required for compliance with privacy requirements of HIPAA.

C. Uses and disclosures of PHI subject to an agreed-upon restriction.

1. If the Plan has agreed to a restriction on the use or disclosure of PHI pursuant to Section XIV, it may not use or disclose PHI in violation of the restriction, except as otherwise provided in Section XIV.

D. Uses and disclosures to create De-Identified PHI.

1. The Plan may use PHI to create information that is not Individually Identifiable Health Information, or disclose PHI to a Business Associate for this purpose, whether or not the De-Identified Information will be used by the Plan.

2. Health Information that meets the requirements for De-Identification under Section XII is not PHI, and HIPAA privacy requirements do not apply to this De-Identified Information, except that:
   a. disclosure of a code or other means of record identification designed to enable coded or otherwise De-Identified Information to be re-identified is disclosure of PHI; and
   b. if De-Identified Information is re-identified, the Plan may use or disclose the re-identified information only as permitted or required by HIPAA privacy requirements.

E. Disclosures to Business Associates.

1. The Plan may disclose PHI to a Business Associate, and may allow a Business Associate to create or receive PHI on its behalf, if the Plan obtains satisfactory assurances that the Business Associate will safeguard the information in an appropriate manner.

2. This requirement does not apply:
   a. with respect to disclosures by the Plan to a Health Care Provider concerning the Treatment of an Individual; or
   b. with respect to disclosures to the Plan Sponsor by the Plan or a Health Insurance Issuer or HMO with respect to a group health plan, to the extent that the requirements of Section VII apply and are met.

3. If the Plan violates the assurances it provided as a Business Associate of another Covered Entity, it will not be in compliance with the privacy requirements of HIPAA.

4. The Plan must document the assurances required by this Part E through a written contract or other written agreement or arrangement with the Business Associate that meets the requirements of Section VI.

F. Deceased Individuals.

1. The Plan must comply with the privacy requirements of HIPAA with respect to the PHI of deceased Individuals.

G. Personal representatives.

1.